CIS recently became aware of a massive spam campaign targeting users in various sectors. Phishing emails used in the campaign contain a PDF attachment named Invoice621785.pdf. This attachment is a weaponized PDF document exploiting a vulnerability in Adobe Reader (CVE-2013-2729). After successful exploitation, the user's system downloads additional malware from hxxp://rlmclahore.com/Resources/Search/1510out[.]exe. This is a banking trojan similar to Zeus/Citadel, in that it targets sensitive user information including banking credentials. As of this writing, all of the major AV products detect this malware as Trojan Dyre/Zbot/Fondu.

Phishing Email Characteristics:

Subject: "Unpaid invoice" [Please note the typo in the subject line]

Attachment: Invoice621785.pdf
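As an added triage example (not part of the CIS advisory), the following Python script parses an RFC 5322 message with the standard library and flags the two e-mail indicators listed above. The fuzzy subject pattern, the sample messages and the placeholder attachment bytes are constructed here: the advisory notes that the real subject line carries a typo but does not give its exact form, so an exact string match on "Unpaid invoice" would miss it.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory.
IOC_ATTACHMENT = "Invoice621785.pdf"

# Assumption: the reported subject is "Unpaid invoice" with an unspecified typo,
# so match loosely on the word stems rather than the exact string.
IOC_SUBJECT_RE = re.compile(r"unpa\w*\s+inv\w*", re.IGNORECASE)


def attachment_names(msg):
    """Collect the filenames of every MIME part that carries one."""
    names = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            names.append(fname)
    return names


def triage(raw_bytes):
    """Return the indicator labels matched by one raw message.

    'subject'           - subject matches the campaign subject (fuzzy)
    'attachment:<name>' - attachment filename is the campaign's PDF
    'pdf:<name>'        - some other PDF attachment, worth a second look
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    subject = str(msg.get("Subject", "") or "")
    if IOC_SUBJECT_RE.search(subject):
        hits.append("subject")
    for name in attachment_names(msg):
        if name.lower() == IOC_ATTACHMENT.lower():
            hits.append("attachment:" + name)
        elif name.lower().endswith(".pdf"):
            hits.append("pdf:" + name)
    return hits


def build_sample(subject, attachment_name):
    """Construct a test message; the attachment body is a harmless placeholder,
    not the weaponized PDF."""
    m = EmailMessage()
    m["From"] = "billing@example.com"      # constructed sender
    m["To"] = "user@example.org"           # constructed recipient
    m["Subject"] = subject
    m.set_content("Please see the attached invoice.")
    m.add_attachment(b"%PDF-1.4\n% constructed placeholder, not a real PDF\n",
                     maintype="application", subtype="pdf",
                     filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    samples = {
        "campaign": build_sample("Unpaid invoce", "Invoice621785.pdf"),
        "other_pdf": build_sample("Quarterly report", "report.pdf"),
        "benign": build_sample("Lunch menu", "menu.docx"),
    }
    for label, raw in samples.items():
        print(label, "->", triage(raw))
```

Run against a mailbox export by feeding each message's bytes to `triage()`; a message that returns both `subject` and `attachment:Invoice621785.pdf` matches the campaign as described, while a lone `pdf:` hit is only a prompt for manual review.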

System Level Indicators (If successful in exploitation):

Copies itself under C:\Windows\[RandomName].exe

Creates a service named "Google Update Service" by setting the following registry keys: